hi,
two days ago i rooted my Nexus One FRF91-Vodafone with these two methods ( forum.xda-developers.com/showthread.php?p=7548842 and forum.xda-developers.com/showthread.php?t=736271). Still some commands of adb don't work and i can't find a solution.
Code:
C:\>cd android/tools
C:\android\tools>adb devices
* daemon not running. starting it now *
* daemon started successfully *
List of devices attached
HT05EP800252 device
C:\android\tools>adb shell
$ su
su
# id
id
uid=0(root) gid=0(root)
# exit
exit
$ exit
exit
C:\android\tools>adb remount
remount failed: Operation not permitted
C:\android\tools>adb root
adbd cannot run as root in production builds
C:\android\tools>
as you can see the device is connected in debug mode and i am rooted but the commands "adb remount" and "adb root" don't work (and maybe some other commands? i don't know). does it happen because the bootloader is still locked? if so, is there a way to have those commands working without unlocking it? if not, what could it be?
sorry for my english
thanks a lot
I'd have to guess because "remount" and "root" are not the way to do it.. Where are you seeing this is the way to do what you need to do?
how should it be used? i found a lot of places where it is written just like that. besides i read that the default.prop should be like this:
Code:
#
# ADDITIONAL_DEFAULT_PROPERTIES
#
ro.secure=0
ro.allow.mock.location=0
ro.debuggable=1
persist.service.adb.enable=1
for adb to work properly
but mine is like this
Code:
#
# ADDITIONAL_DEFAULT_PROPERTIES
#
ro.secure=1
ro.allow.mock.location=0
ro.debuggable=0
persist.service.adb.enable=0
and i don't understand why, i can't change it because it's a read-only file
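The two default.prop files quoted in the post above explain the `adb root` and `adb remount` errors at the top of the thread. The following is an added example, not part of the original posts and not adbd source code: a simplified model of how adbd decides whether it may keep root, with the two property files from the thread embedded as sample input. Treating a missing key as the locked-down value is an assumption of this model.

```python
"""Audit an Android default.prop for the properties that control adbd privileges.

Simplified model (assumption): adbd drops root when ro.secure=1 unless the build
is debuggable (ro.debuggable=1) and root was requested with `adb root`.
"""

# Stock file quoted in the thread (production build).
STOCK_PROP = """#
# ADDITIONAL_DEFAULT_PROPERTIES
#
ro.secure=1
ro.allow.mock.location=0
ro.debuggable=0
persist.service.adb.enable=0
"""

# Development-style file quoted in the thread.
DEV_PROP = """#
# ADDITIONAL_DEFAULT_PROPERTIES
#
ro.secure=0
ro.allow.mock.location=0
ro.debuggable=1
persist.service.adb.enable=1
"""


def parse_props(text):
    """Parse key=value property text into a dict, skipping comments and blanks."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        props[key.strip()] = value.strip()
    return props


def assess_adbd(props, adb_root_requested=False):
    """Return how adbd would behave and which settings weaken the device."""
    # Missing keys are treated as the locked-down value (assumption of this model).
    secure = props.get("ro.secure", "1") == "1"
    debuggable = props.get("ro.debuggable", "0") == "1"
    adb_at_boot = props.get("persist.service.adb.enable", "0") == "1"

    # `adb root` is only honoured on debuggable builds; otherwise the reply is
    # "adbd cannot run as root in production builds", as seen in the thread.
    adb_root_accepted = debuggable

    if not secure:
        runs_as_root = True  # adbd never drops privileges
    else:
        runs_as_root = debuggable and adb_root_requested

    findings = []
    if not secure:
        findings.append(("ro.secure", "adbd keeps root for every debugging session"))
    if debuggable:
        findings.append(("ro.debuggable", "any host with adb access can request root"))
    if adb_at_boot:
        findings.append(("persist.service.adb.enable", "adb is enabled from boot"))

    return {
        "adbd_runs_as_root": runs_as_root,
        "adb_root_accepted": adb_root_accepted,
        # `adb remount` is carried out by adbd, so it needs adbd to be root.
        "adb_remount_possible": runs_as_root,
        "findings": findings,
    }


if __name__ == "__main__":
    for name, text in (("stock", STOCK_PROP), ("dev", DEV_PROP)):
        result = assess_adbd(parse_props(text), adb_root_requested=True)
        print(name, result)
```

An `su` binary inside the shell does not change any of this, because `adb remount` runs in adbd itself rather than in the shell session.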
What about:
Code:
mount -o remount,rw /system
?
i have this same problem, im guessing you went the way without unlocking your bootloader?
if so i dont think you can do adb remount
but what you can do is this method
adb shell
su
#mount -o remount,rw -t yaffs2 /dev/block/mtdblock3 /system
this will remount your phone system to read-write and you should be good to push/pull/cp/rm/clear/ and what you're trying to do
Thanks for the info. I was having the same issue with my N1. The full mount path worked
Kage_
If you're really slick, I imagine you could add an alias "remount" to your shell profile script (.csh or something similar) to execute that full command for you when you needed it
The ICS404root script package has a fatal bug if a broken su already exists. Here's what happened on my D4.
I had root working fine on the GB version that shipped when I got the phone
I updated my stock (but rooted) D4 to 6.13.219 using normal OTA update and like an idiot, I forgot to use a root-keeper.
Confirmed root was broken as expected
Updated to ICS with "D4 6.16.217.zip". (I did no wipes other than the cache partition).
Everything worked fine and ICS is up and running
I ran the ICS404root.zip script package and get the following:
Code:
ICS404root # sh linux_runme_root_script.sh
Pushing files from root package to device...
4393 KB/s (586212 bytes in 0.130s)
4554 KB/s (1862336 bytes in 0.399s)
15 KB/s (660 bytes in 0.042s)
473 KB/s (22364 bytes in 0.046s)
Removing local copies.
Setting permissions.
Rebooting device...
Waiting for device to boot...
Attempting to place su binary on /system...
debugfs 1.42 (29-Nov-2011)
debugfs: debugfs: write: The file 'su' already exists
debugfs: debugfs: debugfs: debugfs: Cleaning up...
Rooting completed, must reboot.
Rebooting device...
Rooted.
So I have an old broken root on my phone, and this breaks the root script. I tried reinstalling superuser, but could only "uninstall updates" rather than uninstalling. (Uninstalling updates and re-installing them did not work.) I tried installing busybox but got root denied messages.
I *really* don't want to wipe my /system to fix this. Can the script be modified to deal with pre-existing su binaries?
UPDATE: (partially solved)
I ran debugfs in interactive mode and did a
Code:
debugfs: cd xbin
debugfs: rm su
debugfs: cd ..
debugfs: cd bin
debugfs: rm su
Then I completed the root hack manually and rebooted. I then updated Superuser and ran Titanium since I saw somewhere in a thread the TB will correct permissions on the su binary if they were funky. Sure enough it changed su from 4755 to 6755. After a reboot, everything was fine!
So... Root is attainable on ICS in the presence of a broken GB root, but the script should still be updated to deal with this.
ryanmcdonald said:
UPDATE: (partially solved)
I ran debugfs in interactive mode and did a
Code:
debugfs: cd xbin
debugfs: rm su
debugfs: cd ..
debugfs: cd bin
debugfs: rm su
Then I completed the root hack manually and rebooted. I then updated Superuser and ran Titanium since I saw somewhere in a thread the TB will correct permissions on the su binary if they were funky. Sure enough it changed su from 4755 to 6755. After a reboot, everything was fine!
So... Root is attainable on ICS in the presence of a broken GB root, but the script should still be updated to deal with this.
looks like i have the same issue except i got there a different way. i did use rootkeeper (though didn't do temp unroot before allowing OTA update to run), so i lost root when going to ics. not a big deal though, as the ics404root util worked fine to re-root.
well, i was having some odd issues like no sound when getting an sms, among others, so decided to do factory reset (without unrooting first). su is gone from the app drawer, but apparently it's still there as i get the same "debugfs: debugfs: write: The file 'su' already exists". i had to add a pause to the end of the batch file to be able to see that message, since it quits whether it worked or not, and you never see it.
i'm not familiar with what you mentioned about running debugfs in interactive. i tried using adb shell to poke around to see if i could find su and mv it to a .bak or something, but my linux command line skills are apparently too rusty. i found su in /system, but since /system is mounted as read only, i can't do anything. i eventually figured out how to get into interactive mode (forgot i had to specify the full path to debugfs since it's not in the default search path), but it tells me fs not open. i try to open, but i don't know what to give it for things like block size, etc:
Code:
[email protected]_maserati:/ $ /data/local/12m/debugfs
/data/local/12m/debugfs
debugfs 1.42 (29-Nov-2011)
debugfs: cd xbin
cd xbin
cd: Filesystem not open
debugfs: open_filesys
open_filesys
open_filesys: Usage: open [-s superblock] [-b blocksize] [-c] [-w] <device>
when looking around in adb shell, i could only find an su in /system/xbin - if i could come up with a way to delete this via adb, i think i could just run the regular root script and be done. any ideas?
still broken. i found a command that let me remount /system as rw, then i used rm su and verified it was gone w/ ls. re-ran ics404root batch file. no errors this time, but still no root on the phone. it seems to be putting su in there, but apparently it's corrupt. the way i check for root is to simply start titanium. right away it says it couldn't get root privileges.
Code:
C:\temp\droid4\ICS404root>adb shell
[email protected]_maserati:/ $ su
su
[email protected]_maserati:/ # mount -o rw,remount -t yaffs2 /dev/block/mtdblock3 /syste
m
2 /dev/block/mtdblock3 /system <
[email protected]_maserati:/ # cd /system/xbin
cd /system/xbin
[email protected]_maserati:/system/xbin # ls s*
ls s*
script
scriptreplay
sed
sendmail
seq
setarch
setconsole
setfont
setkeycodes
setlogcons
setsid
setuidgid
sh
sha1sum
sha256sum
sha512sum
showkey
slattach
sleep
smemcap
softlimit
sort
split
start-stop-daemon
stat
strings
stty
su
su.bak
sulogin
sum
sv
svlogd
swapoff
swapon
switch_root
sync
sysctl
syslogd
[email protected]_maserati:/system/xbin # rm su
rm su
[email protected]_maserati:/system/xbin # ls s*
ls s*
script
scriptreplay
sed
sendmail
seq
setarch
setconsole
setfont
setkeycodes
setlogcons
setsid
setuidgid
sh
sha1sum
sha256sum
sha512sum
showkey
slattach
sleep
smemcap
softlimit
sort
split
start-stop-daemon
stat
strings
stty
su.bak
sulogin
sum
sv
svlogd
swapoff
swapon
switch_root
sync
sysctl
syslogd
[email protected]_maserati:/system/xbin # rm su.bak
rm su.bak
[email protected]_maserati:/system/xbin # ls s*
ls s*
script
scriptreplay
sed
sendmail
seq
setarch
setconsole
setfont
setkeycodes
setlogcons
setsid
setuidgid
sh
sha1sum
sha256sum
sha512sum
showkey
slattach
sleep
smemcap
softlimit
sort
split
start-stop-daemon
stat
strings
stty
sulogin
sum
sv
svlogd
swapoff
swapon
switch_root
sync
sysctl
syslogd
[email protected]_maserati:/system/xbin # exit
exit
[email protected]_maserati:/ $ exit
exit
i have modified the batch file. i turned echo on and rem'd out the delete statements so i could see what was going on and so i wouldn't have to unzip it every time i tried it. (why does it delete the local stuff anyway?) i also added a pause at the end.
Code:
C:\temp\droid4\ICS404root>echo Connect your phone via USB to your PC and be sure
Connect your phone via USB to your PC and be sure
C:\temp\droid4\ICS404root>echo it ISN'T set to mount as a mass storage device.
it ISN'T set to mount as a mass storage device.
C:\temp\droid4\ICS404root>echo (ENTER to continue or push Ctrl-C to exit)
(ENTER to continue or push Ctrl-C to exit)
C:\temp\droid4\ICS404root>pause
Press any key to continue . . .
C:\temp\droid4\ICS404root>echo "Pushing files from root package to device..."
"Pushing files from root package to device..."
C:\temp\droid4\ICS404root>adb push busybox /data/local/12m/
2434 KB/s (586212 bytes in 0.235s)
C:\temp\droid4\ICS404root>adb push debugfs /data/local/12m/
2774 KB/s (1862336 bytes in 0.655s)
C:\temp\droid4\ICS404root>adb push rooter /data/local/12m/
71 KB/s (660 bytes in 0.009s)
C:\temp\droid4\ICS404root>adb push su /data/local/12m/
1818 KB/s (22364 bytes in 0.012s)
C:\temp\droid4\ICS404root>echo "Removing local copies."
"Removing local copies."
C:\temp\droid4\ICS404root>rem del busybox
C:\temp\droid4\ICS404root>rem del debugfs
C:\temp\droid4\ICS404root>rem del rooter
C:\temp\droid4\ICS404root>rem del su
C:\temp\droid4\ICS404root>echo "Setting permissions."
"Setting permissions."
C:\temp\droid4\ICS404root>adb shell chmod 755 /data/local/12m/busybox
C:\temp\droid4\ICS404root>adb shell chmod 755 /data/local/12m/debugfs
C:\temp\droid4\ICS404root>adb shell chmod 755 /data/local/12m/rooter
C:\temp\droid4\ICS404root>adb shell chmod 755 /data/local/12m/su
C:\temp\droid4\ICS404root>adb shell mv /data/local/12m/batch /data/local/12m/bat
ch.bak
C:\temp\droid4\ICS404root>adb shell ln -s /dev/block/mmcblk1p20 /data/local/12m/
batch
C:\temp\droid4\ICS404root>echo "Rebooting device..."
"Rebooting device..."
C:\temp\droid4\ICS404root>adb reboot
C:\temp\droid4\ICS404root>echo "Waiting for device to boot..."
"Waiting for device to boot..."
C:\temp\droid4\ICS404root>adb wait-for-device shell /data/local/12m/rooter
Attempting to place su binary on /system...
debugfs 1.42 (29-Nov-2011)
debugfs: debugfs: Allocated inode: 4359
debugfs: debugfs: debugfs: debugfs: Cleaning up...
Rooting completed, must reboot.
C:\temp\droid4\ICS404root>adb shell rm /data/local/12m/rooter
C:\temp\droid4\ICS404root>echo "Rebooting device..."
"Rebooting device..."
C:\temp\droid4\ICS404root>adb reboot
C:\temp\droid4\ICS404root>echo "Rooted."
"Rooted."
C:\temp\droid4\ICS404root>rem del AdbWinUsbApi.dll
C:\temp\droid4\ICS404root>rem del AdbWinApi.dll
C:\temp\droid4\ICS404root>rem del adb.exe
C:\temp\droid4\ICS404root>rem del linux_runme_root_script.sh
C:\temp\droid4\ICS404root>del
The syntax of the command is incorrect.
C:\temp\droid4\ICS404root>pause
Press any key to continue . . .
C:\temp\droid4\ICS404root>
i'm kinda stuck at this point, but at least my phone isn't bricked. but considering all the issues i've had w/ ICS (the separate notification and ringtone volumes which cannot be linked being the TOP of my sh*t list, right after the crappy dialer, the lousy SMS client (seriously, gray on black? i cant read that!) and the list goes on and on...) i'd honestly rather go back to stock rooted GB. chrome was the only other reason i wanted ics and it seemed to be pretty poorly implemented to me, so i have no more interest in ICS.
i almost wonder if it's worth intentionally bricking it and bringing it back to vzw for exchange, and hopefully the new one won't have ics yet.
ok, i am rooted again! i had to use the Droid 4 Utility ICS Only to do it. the links to the LITE version are broken, so i had to download the entire 600mb package, but it worked to root my phone. now to start reinstalling stuff w/ titanium!
I have an un-rooted device, with Android 5.0 system, and the core is ARM Cortex A53.
I happened to find that "adb root" works, which means I can act as root through the ADB shell.
I successfully deleted a trash apk, renowned "kingroot", from my system.
Then I tried to manually update the su and SuperSU files, through the following commands:
# mount -o rw,remount /system
# cp /sdcard/mrw/su /system/xbin/su
# cp /sdcard/mrw/su /system/bin/su
# pm install /sdcard/mrw/superuser.apk
(I'm using a 2.46 SuperSu version, which should be OK for Android 5.0 system)
But it fails. The SuperSu told me " su binary not installed".
My questions:
1. Is this a feasible way to update Su and SuperSu, and get root access?
2. There's a bunch of architectures. I tried both "arm" and "arm64", but none of the su binaries work. Which architecture shall I choose when I'm running on an ARM Cortex A53 core? (I know it is a 64-bit core.)
Thanks a lot, and Best Regards,
towenyu
Did you get this device secondhand? Also what device is it, since many have their own root method because of OEM crap.
That said, you only need su in one location, either /system/xbin/su or /system/bin/su (I typically see it in /system/xbin/su). I'm not sure what happens if it's in both, but it's just wasted space.
You can try these commands through adb root; since you already were able to get su onto your device, it may be just a matter of ownership and permissions:
Code:
# mount -o rw,remount /system
# chmod 755 /system/xbin/su
# chown root:root /system/xbin/su
# mount -o ro,remount /system
chown 755 sets the permissions to rwxr-xr-x (user gets read/write/execute, group/other gets read/execute). Execute is the important bit here, since otherwise the su binary can't do its job. After those commands, try SuperSU again and see if it works (you might need a reboot, because of how Android 5.0+ handles changes to /system). The last mount -o ro command just changes /system back to read-only, to prevent accidental changes to other parts.
Successfully rooted!
Not that simple, but basically follow the update-binary script already inside supersu package.
Only needed to make a slight modification because my system doesn't support "unzip".
Now that you're successfully rooted, go install Busybox, that'll give you a lot of Linux commands Android doesn't have by default, including unzip.
xfullmetal17 said:
Now that you're successfully rooted, go install Busybox, that'll give you a lot of Linux commands Android doesn't have by default, including unzip.
Thanks for your advice! I will try it.
But isn't there already a Busybox in the Android system? I guess what I need to do is find a more powerful busybox binary somewhere -- or build it on my own, but that may not be so easy for me.
Android has some basic Linux commands support, but I don't think it has Busybox (if you have a custom ROM you may have some additional commands, but since you said unrooted I don't think it was installed).
This is one of the most popular installers for Busybox: https://play.google.com/store/apps/details?id=stericson.busybox
I've used it since I first rooted with Android 2.2 and haven't had any issues with it (save for lack of vim, since stock Android doesn't have the correct libraries for it)
rooting my htc m9 running marshmallow
Hi, I'm totally blind, and twrp isn't an option for me since it doesn't have a built in screen reader. I would like to install supersu to system, would someone kindly help me in telling me what files to put where. I think the m9 is arm64, but besides su and supersu.apk, I think there's installrecovery.ssh and some other files that have to go in, so please help someone
xfullmetal17 said:
Android has some basic Linux commands support, but I don't think it has Busybox (if you have a custom ROM you may have some additional commands, but since you said unrooted I don't think it was installed).
This is one of the most popular installers for Busybox: https://play.google.com/store/apps/details?id=stericson.busybox
I've used it since I first rooted with Android 2.2 and haven't had any issues with it (save for lack of vim, since stock Android doesn't have the correct libraries for it)
Hi guys ,
is it possible to manually run, via adb shell, the update-binary file from the META-INF folder of supersu to install it? (meaning the unpacked supersu folder is copied beforehand to e.g. /tmp)
I'm asking because there is no custom recovery and no root on my device yet.
Thx
nalas said:
Hi guys ,
is it possible to manually run, via adb shell, the update-binary file from the META-INF folder of supersu to install it? (meaning the unpacked supersu folder is copied beforehand to e.g. /tmp)
I'm asking because there is no custom recovery and no root on my device yet.
Thx
I have the same situation: no TWRP, no SU installed on my device: [email protected]_cn:/ #, Android M.
What I have is a userdebug boot.img that supports "adb root", so here are the draft commands I have in mind. Please run them one by one, not as a batch. (WARNING: this may make your system bootloop, take your own risk!!!)
fastboot flash boot boot_userdebug.img
fastboot reboot
adb wait-for-device
adb root
adb remount
adb disable-verity
adb shell setenforce 0
adb reboot
cd D:\tools\Downloads\SR3-SuperSU-v2.82-SR3-20170813133244\arm64
adb wait-for-device
adb root
adb remount
adb shell setenforce 0
adb push .\su /system/bin/su
adb push .\su /system/xbin/su
adb shell chmod 06755 /system/bin/su
adb shell chmod 06755 /system/xbin/su
adb shell /system/bin/su --install
adb shell /system/bin/su --daemon&
adb install ..\common\Superuser.apk
adb shell setenforce 0
adb disable-verity
if you found SuperSU not found root, try adb shell setenforce 0 again.
then you can get SuperSU found su file need to update, use normal way to do it.
then, it will be "Installation success !"
Enjoy it.
so reference log:
D:\tools\Downloads\SR3-SuperSU-v2.82-SR3-20170813133244\arm64>adb push su /system/bin/su
adb: error: failed to copy 'su' to '/system/bin/su': Read-only file system
D:\tools\Downloads\SR3-SuperSU-v2.82-SR3-20170813133244\arm64>adb root
D:\tools\Downloads\SR3-SuperSU-v2.82-SR3-20170813133244\arm64>adb push su /system/bin/su
adb: error: failed to copy 'su' to '/system/bin/su': Read-only file system
D:\tools\Downloads\SR3-SuperSU-v2.82-SR3-20170813133244\arm64>adb remount
remount succeeded
D:\tools\Downloads\SR3-SuperSU-v2.82-SR3-20170813133244\arm64>adb push su /system/bin/su
[100%] /system/bin/su
D:\tools\Downloads\SR3-SuperSU-v2.82-SR3-20170813133244\arm64>adb push su /system/xbin/su
adb: error: failed to copy 'su' to '/system/xbin/su': Read-only file system
D:\tools\Downloads\SR3-SuperSU-v2.82-SR3-20170813133244\arm64>adb shell
[email protected]_cn:/ # su
[email protected]_cn:/ # cd /system/bin
[email protected]_cn:/system/bin # chmod 06755 su
chmod: chmod 'su' to 106755: Read-only file system
1|[email protected]_cn:/system/bin # ls su
su
[email protected]_cn:/system/bin # ls -al su
-rwxr-xr-x root shell 108496 2008-02-29 03:33 su
[email protected]_cn:/system/bin # su --intall
[email protected]_cn:/system/bin # su --daemon&
[1] 6146
[email protected]_cn:/system/bin # getenforce
Enforcing
[1] + Done su --daemon
[email protected]_cn:/system/bin # setenforce 0
[email protected]_cn:/system/bin # getenforce
Permissive
[email protected]_cn:/system/bin # exit
[email protected]_cn:/system/bin # exit
[email protected]_cn:/ # exit
/system/bin/su
exit
^C
Azlun said:
I have the same situation: no TWRP, no SU installed on my device: [email protected]_cn:/ #, Android M.
What I have is a userdebug boot.img that supports "adb root", so here are the draft commands I have in mind. Please run them one by one, not as a batch. (WARNING: this may make your system bootloop, take your own risk!!!)
fastboot flash boot boot_userdebug.img
fastboot reboot
adb wait-for-device
adb root
adb remount
adb disable-verity
adb shell setenforce 0
adb reboot
cd D:\tools\Downloads\SR3-SuperSU-v2.82-SR3-20170813133244\arm64
adb wait-for-device
adb root
adb remount
adb shell setenforce 0
adb push .\su /system/bin/su
adb push .\su /system/xbin/su
adb shell chmod 06755 /system/bin/su
adb shell chmod 06755 /system/xbin/su
adb shell /system/bin/su --install
adb shell /system/bin/su --daemon&
adb install ..\common\Superuser.apk
adb shell setenforce 0
adb disable-verity
if you found SuperSU not found root, try adb shell setenforce 0 again.
then you can get SuperSU found su file need to update, use normal way to do it.
then, it will be "Installation success !"
Enjoy it.
so reference log:
D:\tools\Downloads\SR3-SuperSU-v2.82-SR3-20170813133244\arm64>adb push su /system/bin/su
adb: error: failed to copy 'su' to '/system/bin/su': Read-only file system
D:\tools\Downloads\SR3-SuperSU-v2.82-SR3-20170813133244\arm64>adb root
D:\tools\Downloads\SR3-SuperSU-v2.82-SR3-20170813133244\arm64>adb push su /system/bin/su
adb: error: failed to copy 'su' to '/system/bin/su': Read-only file system
D:\tools\Downloads\SR3-SuperSU-v2.82-SR3-20170813133244\arm64>adb remount
remount succeeded
D:\tools\Downloads\SR3-SuperSU-v2.82-SR3-20170813133244\arm64>adb push su /system/bin/su
[100%] /system/bin/su
D:\tools\Downloads\SR3-SuperSU-v2.82-SR3-20170813133244\arm64>adb push su /system/xbin/su
adb: error: failed to copy 'su' to '/system/xbin/su': Read-only file system
D:\tools\Downloads\SR3-SuperSU-v2.82-SR3-20170813133244\arm64>adb shell
[email protected]_cn:/ # su
[email protected]_cn:/ # cd /system/bin
[email protected]_cn:/system/bin # chmod 06755 su
chmod: chmod 'su' to 106755: Read-only file system
1|[email protected]_cn:/system/bin # ls su
su
[email protected]_cn:/system/bin # ls -al su
-rwxr-xr-x root shell 108496 2008-02-29 03:33 su
[email protected]_cn:/system/bin # su --intall
[email protected]_cn:/system/bin # su --daemon&
[1] 6146
[email protected]_cn:/system/bin # getenforce
Enforcing
[1] + Done su --daemon
[email protected]_cn:/system/bin # setenforce 0
[email protected]_cn:/system/bin # getenforce
Permissive
[email protected]_cn:/system/bin # exit
[email protected]_cn:/system/bin # exit
[email protected]_cn:/ # exit
/system/bin/su
exit
^C
Thank You - I will check and give feedback
Can I somehow just copy su and supersu files to phone (stock ROM) with full root shell to get root? Unfortunately bootloader is locked and only root shell is available.
user4978023 said:
Can I somehow just copy su and supersu files to phone (stock ROM) with full root shell to get root? Unfortunately bootloader is locked and only root shell is available.
Of course not. If it were that easy rooting would be a non-issue for devices with a locked bootloader.
towenyu said:
Successfully rooted!
Not that simple, but basically follow the update-binary script already inside supersu package.
Only needed to make a slight modification because my system doesn't support "unzip".
Can you give more details ?
I'm in a similar situation (/system/bin/su and /system/xbin/su "updated" from Supersu zip , root access from adb shell , rom built as userdebug) but I'm unable to launch the update-binary through adb to get the TV fully rooted..
This post seeks attention of Senior XDA developers who are contributors of Magisk:
I have been struggling to fix Magisk mount and SU execution on VIVO devices.
Magisk issue #5148
VIVO/iQOO kernel restictions: "Operation not permitted" when executing `su` or mounting to `/system`, or bootloops if rooted · Issue #5148 · topjohnwu/Magisk
Device: iQOO Z1/VIVO X70 PRO/iQOO NEO3, and more Android version: N/A Magisk version name: N/A Magisk version code: N/A, but more serious since 24302 Magisk fails to mount /system on some Vivo/iQOO...
github.com
I am ready to work together to the best of my technical capacity.
I will pay for your test device and a special bounty for your hard work and development efforts.
Interested developers please reach out to me.
Actual problem is on Vivo devices only. Tested on Vivo Y33s and Y21.
When you call su, it returns: "Operation not permitted"
Trying to run /dev/xxxx/Magisk --daemon: "No daemon is currently running"
Previous attempts:
Problem seems to be SELinux policy, if you attempt to manually run from android debug builds, then the daemon is properly loaded.
2109:/dev/9Lgz # ./supolicy --magisk
Load policy from: /sys/fs/selinux/policy
2109:/dev/9Lgz # magisk --daemon
2109:/dev/9Lgz # magisk --path
/system/bin
2109:/dev/9Lgz # su
2109:/dev/9Lgz # id
uid=0(root) gid=0(root) groups=0(root),1004(input),1007(log),1011(adb),1015(sdcard_rw),1028(sdcard_r),1078(ext_data_rw),1079(ext_obb_rw),3001(net_bt_admin),3002(net_bt),3003(inet),3006(net_bw_stats),3009(readproc),3011(uhid) context=u:r:magisk:s0
With this solution, the problem is that we need to run this from "adb root" shell after every boot.
Is there any way to run this locally on the device having a debug build?
Where should I post this thread to find the right developers to solve this problem?
I would highly appreciate some help here.
Maybe you can try change 'su' to 'suu' or 'timesu', as the [ref](http://bbs.ydss.cn/thread-1528844-1-1.html) said.
Good luck and success to you!
JuanLv said:
Maybe you can try change 'su' to 'suu' or 'timesu', as the [ref](http://bbs.ydss.cn/thread-1528844-1-1.html) said.
Good luck and success to you!
I tried but no luck :(
Looking for developers who have good knowledge of Magisk mount and magiskinit.
NextGenMagisk said:
Looking for developers who have good knowledge of Magisk mount and magiskinit.
The developer has made restrictions in the kernel, see https://github.com/topjohnwu/Magisk/issues/5148#issuecomment-1167697477
Maybe we can make a workaround by kernel patch.
I'm not too familiar with these.
Do you have any idea?
JuanLv said:
The developer has made restrictions in the kernel, see https://github.com/topjohnwu/Magisk/issues/5148#issuecomment-1167697477
Maybe we can make a workaround by kernel patch.
I'm not too familiar with these.
Do you have any idea?
Thanks for the update. Looks like this issue is not easy to fix and it depends on access to kernel sources for each device model. I am not familiar with Kernel patching.
My ideas are focused around leveraging debug builds to execute SU locally and then make it persist across reboots.
NextGenMagisk said:
Is there any way to run this locally on the device having a debug build?
vivo y31, LineageOS 19.1, userdebug
magisk 24.3 can inject code in init.rc, can't mount /system /vendor /oem
magisk >24.3 can't inject code, because magisk switched to a new method which requires mounting /system. Zygisk is broken since 2431*
If you want to have adb root, then you can use phh-su(if you use gsi) and execute in termux
su -c setprop service.adb.root 1
su -c setprop service.adb.tcp.port 5555
su -c stop adbd
su -c start adbd
adb wait-for-device
adb shell whoami
Without phh-su you would need to split screen [termux + developer options/wifi debugging] and pair with code
one time in termux
adb pair localhost:port code
no need to split screen anymore
then off -on wifi debugging
adb connect localhost:newport
adb root
off-on wifi debugging again
adb kill-server
adb connect localhost:newnewport
gz! you're root
Another way is to edit init.rc. Just look at magiskrc.inc from the source code.
I have no problems with zygisk and modules on 24.3 magisk. I just mount overlayfs on top of /system and then just copy all modules into /system.
Here is my .rc script which I pushed in boot.img like this
./magiskboot unpack boot.img
./magiskboot cpio ramdisk.cpio 'add 0644 overlay.d/ofs.rc ofs.rc'
./magiskboot repack boot newboot.img
script
on load_persist_props_action
exec u:r:su:s0 -- /system/bin/mount -t overlay overlay -o lowerdir=/system,upperdir=/data/system/ou,workdir=/data/system/ow /system
on zygote-start
exec u:r:su:s0 -- /system/bin/mount /sbin/.magisk/zygisk/app_process32 /system/bin/app_process32
exec u:r:su:s0 -- /system/bin/mount /sbin/.magisk/zygisk/app_process64 /system/bin/app_process64
Then just create two folders
/data/system/ou
/data/system/ow
And copy modules files in upper layer(real system will not be modified)
su -c cp -r /sbin/.magisk/modules/*/system/* /system
If you need to revert changes then you can delete two folders and create them again. Or you can delete module files like this
cd /sbin/.magisk/modules/{Module Name}/system/
find -exec rm /system/{} \;
cd /data/system/ou
find . -type d -empty -delete
If you want to boot with real /system then just rename two folders
mount -t overlay
overlay on /system type overlay (rw,seclabel,relatime,lowerdir=/system,upperdir=/data/system/ou,workdir=/data/system/ow)
mount | grep " / "
/dev/block/dm-0 on / type ext4 (ro,seclabel,nodev,relatime,discard)
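A detection-side view of the overlay described in the post above, as an added example that is not part of the thread: a parser for `mount` output that flags an overlay on a system partition whose upper layer lives on /data, and any mount placed over `/system/bin/app_process*`. The first two sample lines are the ones quoted in the post; the other two are constructed, and the finding labels are names chosen for this example.

```python
import re

# "<source> on <target> type <fstype> (<opt>,<opt>=<value>,...)"
MOUNT_RE = re.compile(
    r"^(?P<src>\S+) on (?P<target>\S+) type (?P<fstype>\S+) \((?P<opts>[^)]*)\)$"
)

# Partitions that are expected to be read-only and unmodified on a stock device.
PROTECTED = ("/", "/system", "/vendor", "/product", "/oem")
APP_PROCESS_RE = re.compile(r"^/system/bin/app_process(32|64)?$")

# Lines 1-2 are quoted from the thread; lines 3-4 are constructed for the example.
SAMPLE_MOUNTS = "\n".join([
    "overlay on /system type overlay (rw,seclabel,relatime,lowerdir=/system,"
    "upperdir=/data/system/ou,workdir=/data/system/ow)",
    "/dev/block/dm-0 on / type ext4 (ro,seclabel,nodev,relatime,discard)",
    "tmpfs on /system/bin/app_process64 type tmpfs (rw,seclabel,relatime)",
    "tmpfs on /dev type tmpfs (rw,seclabel,nosuid,relatime,mode=755)",
])


def parse_mount_line(line):
    """Return a dict for one line of `mount` output, or None if it does not parse."""
    match = MOUNT_RE.match(line.strip())
    if match is None:
        return None
    opts = {}
    for item in match.group("opts").split(","):
        key, _, value = item.partition("=")
        opts[key] = value
    return {
        "src": match.group("src"),
        "target": match.group("target"),
        "fstype": match.group("fstype"),
        "opts": opts,
    }


def is_under(path, root):
    """True if path equals root or lies below it."""
    return path == root or path.startswith(root.rstrip("/") + "/")


def audit_mounts(text):
    """Return (target, finding, detail) tuples for suspicious system mounts."""
    findings = []
    for line in text.splitlines():
        entry = parse_mount_line(line)
        if entry is None:
            continue
        target, opts = entry["target"], entry["opts"]

        if entry["fstype"] == "overlay" and target in PROTECTED:
            upper = opts.get("upperdir", "")
            if upper and is_under(upper, "/data"):
                # Writable layer on user data shadows the verified partition.
                findings.append((target, "overlay-upperdir-on-data", upper))
            else:
                findings.append((target, "overlay-on-protected", upper))
        elif target in PROTECTED and "rw" in opts:
            findings.append((target, "protected-mounted-rw", entry["src"]))

        if APP_PROCESS_RE.match(target):
            # A mount over the zygote binary replaces what every app is forked from.
            findings.append((target, "mount-over-app_process", entry["src"]))
    return findings


if __name__ == "__main__":
    for finding in audit_mounts(SAMPLE_MOUNTS):
        print(finding)
```

Because the overlay leaves the real /system untouched, a check of the block device alone would not show these changes; the mount table has to be inspected as well.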
Pervokur said:
mount -t overlay
overlay on /system type overlay (rw,seclabel,relatime,lowerdir=/system,upperdir=/data/system/ou,workdir=/data/system/ow)
mount | grep " / "
/dev/block/dm-0 on / type ext4 (ro,seclabel,nodev,relatime,discard)
This is extremely helpful and has given me a very clear path to solve problems with Vivo root. I will implement these suggestions. Thanks a lot.
NextGenMagisk said:
This is extremely helpful and has given me a very clear path to solve problems with Vivo root. I will implement these suggestions. Thanks a lot.
Another tip from me. There is a way to have system rw for magisk root. At least it works for me on LOS19.1 userdebug gsi, vndklite variant, magisk24.3
Normally
magisk-su: mount -o rw,remount /
operation not permitted
adb root:mount -o rw,remount /
ok
but / is still ro for magisk-su
Then I just kill surfaceflinger which leads to zygote restart(aka soft reboot)
su -c killall surfaceflinger
After booting / is rw for magisk-su and you can work with partition in file manager like Total Commander.
Pervokur said:
Another tip from me. There is a way to have system rw for magisk root. At least it works for me on LOS19.1 userdebug gsi, vndklite variant, magisk24.3
Normally
magisk-su: mount -o rw,remount /
operation not permitted
adb root:mount -o rw,remount /
ok
but / is still ro for magisk-su
Then I just kill surfaceflinger which leads to zygote restart(aka soft reboot)
su -c killall surfaceflinger
After booting / is rw for magisk-su and you can work with partition in file manager like Total Commander.
Again a great tip, thanks!
I am currently testing your previous suggestions to inject custom init script on Y33s.
you can test this with adb root without editing boot.img or init.rc
NextGenMagisk said:
Again a great tip, thanks!
I am currently testing your previous suggestions to inject custom init script on Y33s.
adb shell
mount -t overlay overlay -o lowerdir=/system,upperdir=/data/system/ou,workdir=/data/system/ow /system
mount /sbin/.magisk/zygisk/app_process32 /system/bin/app_process32
mount /sbin/.magisk/zygisk/app_process64 /system/bin/app_process64
then restart zygote
killall surfaceflinger
zygote will restart, but mounts will still be there
Pervokur said:
you can test this with adb root without editing boot.img or init.rc
adb shell
mount -t overlay overlay -o lowerdir=/system,upperdir=/data/system/ou,workdir=/data/system/ow /system
mount /sbin/.magisk/zygisk/app_process32 /system/bin/app_process32
mount /sbin/.magisk/zygisk/app_process64 /system/bin/app_process64
mount overlay is working when executed from adb root.
but I can't get past the second step:
2109:/data/system/ow # mount /sbin/.magisk/zygisk/app_process32 /system/bin/app_process32
mount: '/sbin/.magisk/zygisk/app_process32'->'/system/bin/app_process32': No such file or directory
1|2109:/data/system/ow #
1|2109:/data/system/ow # mount /sbin/.magisk/zygisk/app_process64 /system/bin/app_process64
mount: '/sbin/.magisk/zygisk/app_process64'->'/system/bin/app_process64': No such file or directory
what must be causing this?
NextGenMagisk said:
mount overlay is working when executed from adb root.
but I can't get past the second step:
2109:/data/system/ow # mount /sbin/.magisk/zygisk/app_process32 /system/bin/app_process32
mount: '/sbin/.magisk/zygisk/app_process32'->'/system/bin/app_process32': No such file or directory
1|2109:/data/system/ow #
1|2109:/data/system/ow # mount /sbin/.magisk/zygisk/app_process64 /system/bin/app_process64
mount: '/sbin/.magisk/zygisk/app_process64'->'/system/bin/app_process64': No such file or directory
what must be causing this?
you didn't activate zygisk in magisk settings, so there are no files /sbin/.magisk/zygisk/app_process32
/sbin/.magisk/zygisk/app_process64
Pervokur said:
you didn't activate zygisk in magisk settings, so there are no files /sbin/.magisk/zygisk/app_process32
/sbin/.magisk/zygisk/app_process64
I can't enable it because Magisk daemon does not run at boot. Superuser tab in the app is greyed out.
testing this on a Vivo PD2147F debug build with Magisk patched boot and ofs.rc entry included.
NextGenMagisk said:
I can't enable it because Magisk daemon does not run at boot. Superuser tab in the app is greyed out.
testing this on a Vivo PD2147F debug build with Magisk patched boot and ofs.rc entry included.
even with magisk 24.3?
Pervokur said:
even with magisk 24.3?
Yes, patched magisk 24306. tmp dir with random name under /dev is created with root rights but the magic mount fails and hence the superuser tab is greyed out.
Magisk issue #5148
VIVO/iQOO kernel restictions: "Operation not permitted" when executing `su` or mounting to `/system`, or bootloops if rooted · Issue #5148 · topjohnwu/Magisk
Device: iQOO Z1/VIVO X70 PRO/iQOO NEO3, and more Android version: N/A Magisk version name: N/A Magisk version code: N/A, but more serious since 24302 Magisk fails to mount /system on some Vivo/iQOO...
github.com
Then you should manually add something like this to the end of init.rc
on load_persist_props_action
    exec u:r:su:s0 -- /system/bin/mount -t overlay overlay -o lowerdir=/system,upperdir=/data/system/ou,workdir=/data/system/ow /system

on zygote-start
    exec u:r:su:s0 -- /system/bin/mount /sbin/.magisk/zygisk/app_process32 /system/bin/app_process32
    exec u:r:su:s0 -- /system/bin/mount /sbin/.magisk/zygisk/app_process64 /system/bin/app_process64

on post-fs-data
    start logd
    rm /dev/.magisk_unblock
    start mqVxwb7J
    wait /dev/.magisk_unblock 40
    rm /dev/.magisk_unblock

service mqVxwb7J /sbin/magisk --post-fs-data
    user root
    seclabel u:r:magisk:s0
    oneshot

service DC83jQtNHiJDw8 /sbin/magisk --service
    class late_start
    user root
    seclabel u:r:magisk:s0
    oneshot

on property:sys.boot_completed=1
    start Zaw2TLXyH

service Zaw2TLXyH /sbin/magisk --boot-complete
    user root
    seclabel u:r:magisk:s0
    oneshot
I replaced old /system/bin/toybox with a new binary from http://landley.net/toybox/bin, then I created symlinks with for i in $(./toybox); do ln -s toybox $i; done. There is su in symlinks.
Now I cannot open Magisk anymore, stuck at splash screen mask.
Also MiXplorer cannot browse root dirs.
With Terminal Emulator I can still browse root dirs.
If I type which su I get /sbin/su which is a symlink to /sbin/magisk.
I have not yet tried to reboot because I fear to get stuck, maybe it would repair by itself but who knows?
If I type whoami I get bad uid 0, after su shell I get bad uid 2000 and so on.
How can I restore root? I can access TWRP recovery.
how about /sbin/su -c unlink /system/bin/su or wherever you symlinked toybox applets?
are you sure that binary is actually a replacement including all android specific applets (like getevent) for built-in toybox?
why did you replace system files in the first place if you're actually on Magisk and could just use systemless overlays instead?
If I try to unlink it says it's read-only file system. I could try to do it in recovery but I'm afraid to reboot...
What is strange is that which su points to /sbin/magisk, so it should not consider the other su symlink to toybox
Another thing I noticed is that new symlinks to toybox created with my script are root both UID and GID, while existing ones are root UID and shell GID
Toybox binary is specific for my Android ARMv8 http://landley.net/toybox/downloads/binaries/0.8.9/toybox-aarch64.
You are right about systemless overlays.
aarch64 is only the cpu architecture, doesn't say anything about android.
how did you install toybox on read-only file system? remount -o,rw /
ok, however the arch is right for my Snap855, I tried other applets embedded in toybox, like factor, and they work.
I used MiXplorer to write to system, I gave it root permissions so it could work on it. Now MiX is unarmed and Terminal Emulator can only read into root dirs but not write.
quick check with my toybox: yours is missing all android specific applets
Code:
:/ $ cd $HOME
:/data/user/0/jackpal.androidterm/app_HOME $ ls -la
total 780
drwxrwx--x 2 u0_a152 u0_a152 4096 2023-01-30 14:46 .
drwxr-x--x 6 u0_a152 u0_a152 4096 2023-01-28 01:58 ..
-rwx--x--x 1 u0_a152 u0_a152 783680 2023-01-30 14:24 toybox
:/data/user/0/jackpal.androidterm/app_HOME $ ./toybox --version
toybox 0.8.9
:/data/user/0/jackpal.androidterm/app_HOME $ toybox --version
toybox 0.7.6-android
:/data/user/0/jackpal.androidterm/app_HOME $ for i in $(toybox); do ./toybox | grep -qw $i || echo $i; done
chcon
dd
diff
expr
getenforce
getfattr
gzip
load_policy
lsof
modprobe
more
restorecon
runcon
sendevent
setenforce
setprop
start
stop
stty
tr
traceroute
traceroute6
you should reinstall stock toybox from TWRP backup.
edit: this might help
Code:
:/ $ ls -lZ /system/bin/toybox
-rwxr-xr-x 1 root shell u:object_r:toolbox_exec:s0 352532 2008-12-31 17:00 /system/bin/toybox
I renamed the old toybox, so I could restore it from recovery.
Btw, I get this with ls -lZ
-rwxr-xr-x 1 0 2000 ? 825176 2023-01-29 07:34 /system/bin/toybox
Seem to have lost context there.
Thanks for your quick replies.
either you're on Jelly Bean or you lost secontext. repair with chcon
Code:
chcon u:object_r:toolbox_exec:s0 /system/bin/toybox
You are right, new toybox does not have specific Android applets, like chcon or restorecon.
So, please correct me if I'm wrong, I reboot in TWRP, restore old toybox.
Then should I run chcon / restorecon or reboot straight away?
I lost secontext in all root dirs /, /system, /vendor, /sdcard...
not sure what ROM you're talking about. maybe you used ls of wrong toybox?
Don't understand your answer, what ROM are you referring to?
If I ./"toybox old" restorecon I get restorecon: Needs 1 argument (see "restorecon --help")
If I restorecon I get toybox: Unknown command restorecon (see "toybox --help")
Please advise me if it's right to restore old toybox via TWRP and reboot to system or there's the need to chcon / restorecon, thanks
please give the output of
Code:
grep ro.build.fingerprint /system/build.prop /system*/system/build.prop
it's very unlikely you lost every secontext. either it never existed or you just can't view.
restorecon won't help you much. only restoring TWRP backup could restore secontext as it was before.
grep ro.build.fingerprint /system/build.prop
ro.build.fingerprint=Xiaomi/cepheus_eea/cepheus:10/QKQ1.190825.002/V11.0.9.0.QFAEUXM:user/release-keys
ro.build.fingerprint_real=Xiaomi/cepheus/cepheus:10/QKQ1.190825.002/20.7.2:user/release-keys/1593694646
so your ROM is stock ROM Android 10, it must have secontext of course. in case it's true you lost every secontext, best is to download cepheus_eea_global_images_V11.0.9.0.QFAEUXM_20200421.0000.00_10.0_eea_31715f4bd1.tgz and flash_all_except_storage.bat
(you can backup boot in TWRP beforehand and flash boot.emmc.win from fastboot right after)
edit: build.prop usually is in /system(_root)/system/build.prop on new devices, so most likely what you think is build.prop is just from the TWRP image used.
maybe you didn't mount System?
Resolved
Rebooted into TWRP, restored original toybox, deleted my symlinks, checked secontexts ok, rebooted to system, all fine.
Thanks for your support
you can place toybox in /data/adb/modules/toybox/system/xbin/toybox, make a diff and only symlink missing applets in there.
then create modules.prop, reboot and done.
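The systemless layout suggested in the last post, as an added example that is not part of the thread: it stages a module tree and links only applets the new toybox has and stock lacks, so stock Android applets such as chcon and restorecon are never shadowed. The function names, the su skip list and the sample applet lists are assumptions; on a device the module directory would be /data/adb/modules/toybox as in the post.

```shell
#!/bin/sh
# Added example: stage a systemless toybox module instead of replacing
# /system/bin/toybox. Helper names are hypothetical.

# Print applets that are in list $2 (new toybox) but not in list $1 (stock
# toybox) and not in skip list $3, one per line.
missing_applets() {
    have=" $(echo $1 $3) "          # unquoted echo collapses newlines to spaces
    for a in $2; do
        case "$have" in
            *" $a "*) ;;            # stock already provides it, or it is skipped
            *) echo "$a" ;;
        esac
    done
}

# Stage the module tree under $1.
#   $2 = path to the new toybox binary
#   $3 = stock applet list, $4 = new applet list
build_module() {
    xbin=$1/system/xbin
    mkdir -p "$xbin" || return 1
    cp "$2" "$xbin/toybox" || return 1
    chmod 0755 "$xbin/toybox"
    # "su" is skipped as a precaution so a toybox su applet never lands on
    # PATH beside Magisk's own su.
    for a in $(missing_applets "$3" "$4" "su"); do
        ln -sf toybox "$xbin/$a"
    done
    # Magisk reads module metadata from module.prop in the module root.
    printf 'id=toybox\nname=Toybox extra applets\nversion=0.8.9\nversionCode=1\nauthor=example\ndescription=Applets missing from stock toybox\n' \
        > "$1/module.prop"
}

# Constructed sample lists; on a device use "$(toybox)" and "$(./toybox)".
STOCK="chcon dd ls restorecon setprop"
NEW="dd factor ls sha3sum su"
missing_applets "$STOCK" "$NEW" "su"
```

Because nothing under /system is modified, removing the module directory undoes the change without touching file ownership or SELinux labels on the stock binary.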